New in 13.1.0

F5 DDoS Hybrid Defender

This release introduces a new version of DDoS Hybrid Defender, a hybrid DDoS solution that offers comprehensive protection and high availability, and is easy to deploy and manage. It guards against aggressive volumetric and targeted DDoS attacks, includes hardware-assisted DDoS mitigation, and optionally connects with Silverline, a cloud-based scrubbing service. DDoS Hybrid Defender defends the application infrastructure with a multi-layered defense that combines DDoS protection for Layer 3 and Layer 7, hardware-accelerated DDoS attack mitigation (with TurboFlex features), and SSL decryption capabilities.

DoS Protection Enhancements

Several enhancements improve DoS protection in DDoS Hybrid Defender. More vectors can be configured so that the system automatically determines appropriate threshold values (Fully Automatic). A partially automatic setting also lets you manually set threshold values, yet let the system perform mitigation as needed (Manual Detection/Auto Mitigation). You can disable DoS vectors globally if they are not relevant for your network configuration. Additional internal enhancements improve the effectiveness of DoS protection in both hardware and software.

Virtual Wire Deployment

You can install DDoS Hybrid Defender using a simple virtual wire deployment, where minimal configuration is needed. The virtual wire allows seamless integration into the network yet still provides full DoS protection.

DNS Behavioral

You can set up the system to use behavioral analysis and machine learning of traffic flows to automatically discover and mitigate DoS attacks on DNS servers and the ICMP protocol.

VLANs and Scrubbing

You can now specify which VLANs to include or exclude for scrubbing.

Known issues

The following known issues apply to the current release of DDoS Hybrid Defender.

ID number

Description

599520

If the Help tab in the left pane is open when you edit a protected object, the help does not display.

Workaround: Click the Main tab, then return to the Help tab to display the help.

600028

When configuring Bad Actor Detection in Device Configuration, the number of packets per second (PPS) is per core (TMM).

Workaround: When specifying PPS for system-wide Bad Actor Detection, multiply by the number of cores (TMMs) on your system.

600031

Hardware accelerated DoS protection drops packets based only on source IP address. A sampling of packets is "leaked" to the DoS software to provide visibility for logging and reporting. For this reason, the system provides the total packets dropped based on source IP address.

600039

The Detection Threshold setting for a DoS attack is per core (TMM), not per device. Since the system has multiple cores (TMMs), the total traffic may be greater than the configured threshold if each core (TMM) sees traffic below the threshold. In this case, the attack is not detected.

Set a configured value reflecting the overall total required value divided by the number of cores (TMMs). The number of cores (TMMs) varies by platform. For example, for VE, there are two, by default. The 5250 platform has 8 cores (TMMs). Note that if traffic is unevenly distributed, one core (TMM) may reach the detection threshold while the other cores (TMMs) are still relatively idle. As a result, the device may detect an attack while processing traffic at fairly low levels overall.

611752

The maximum number of protected objects that you can create on DDoS Hybrid Defender is 40.

Workaround: If you need support for creating more than that, follow these steps:

DDoS Hybrid Defender does not support deleting the high availability configuration. Call F5 Support if you need to unconfigure high availability.

624614

If you attempt to delete more than 10 protected objects at once, DDoS Hybrid Defender may not complete the deletion process successfully. Therefore, F5 recommends deleting fewer than 10 protected objects at a time. Otherwise, if you need to clean up configuration objects left over from deleting more than 10, F5 support can help you resolve configuration inconsistencies.

626578

If the connection to Silverline does not succeed when the configuration is entered for the first time, the Silverline configuration may have been lost.

Workaround: Click the Silverline tab and re-enter the configuration data.

638708

For a Protected Object, when updating the Maximum Bandwidth to Infinite and Scrubbing Threshold to Absolute (Enable External Redirection), the update fails with the following error message: Following Errors were found transaction failed:01071b08:3: Scrubber percentage threshold property requires throughput capacity to be configured on Virtual Server protected_obj.

When changing the logging destination from Splunk to Arcsight on the Logging tab, the logging destination does not get updated to the correct remote logging format.

Workaround: To change the logging format, first set the remote logging format to Disabled, click Update, then change it to Arcsight, and click Update again.

680730

The system cannot successfully create an HA pair if the device name and hostname are different.

Workaround: In an HA pair, use the same names for both the device name and hostname.
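The per-core behavior described in known issue 600039 can be modeled as follows. This is an added example, not F5 code: it assumes a vector counts as detected when any single core (TMM) reaches the configured Detection Threshold, and the traffic samples and the 80,000 PPS target are constructed for illustration.

```python
# Added illustration (not F5 code). Assumption: a vector is detected when any
# single TMM's observed rate reaches the configured Detection Threshold.

def per_tmm_threshold(device_wide_pps, tmm_count):
    """Value to configure so the per-TMM thresholds sum to the device-wide target."""
    if tmm_count < 1:
        raise ValueError("tmm_count must be at least 1")
    return max(1, device_wide_pps // tmm_count)


def evaluate(per_tmm_pps, configured_threshold, intended_device_pps):
    """Classify one traffic sample against the per-TMM detection behaviour."""
    total = sum(per_tmm_pps)
    tripped = [i for i, pps in enumerate(per_tmm_pps) if pps >= configured_threshold]
    over_target = total >= intended_device_pps
    if tripped:
        # "early": one busy TMM trips detection while the device total is low.
        verdict = "detected" if over_target else "early"
    else:
        # "missed": the device total exceeds the target but no TMM trips.
        verdict = "missed" if over_target else "quiet"
    return {"total_pps": total, "tripped_tmms": tripped, "verdict": verdict}


TMMS = 8              # the 5250 platform, per the release note
TARGET_PPS = 80_000   # constructed device-wide detection target

# Constructed samples: packets per second seen by each TMM.
EVEN_FLOOD = [70_000] * TMMS                # 560,000 PPS in total
SKEWED_LOW = [12_000] + [500] * (TMMS - 1)  # 15,500 PPS in total

DIVIDED = per_tmm_threshold(TARGET_PPS, TMMS)
SCENARIOS = {
    "target entered as-is, even flood": (EVEN_FLOOD, TARGET_PPS),
    "target divided by TMMs, even flood": (EVEN_FLOOD, DIVIDED),
    "target divided by TMMs, skewed low traffic": (SKEWED_LOW, DIVIDED),
}


def run_scenarios():
    """Evaluate every constructed scenario and return the results by name."""
    return {name: evaluate(sample, thr, TARGET_PPS)
            for name, (sample, thr) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The first scenario is the missed detection the issue describes, and the third is the uneven-distribution case in which one core trips the threshold while overall traffic is low.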

Upgrade info

To upgrade to DDoS Hybrid Defender 13.1.0-3.0, it is recommended that the system be running version 13.0.0-2.1 before you begin. During the upgrade process, you will need to install the latest rpm, update the system image, update the configuration, then if using Silverline, re-enter your credentials.

Following are the steps to upgrade DDoS Hybrid Defender to 13.1.0-3.0:

Download the 13.1.0-3.0 rpm from the F5 downloads site at https://downloads.f5.com.

Log onto DDoS Hybrid Defender and start the upgrade (using the rpm you downloaded) from the About tab.

After the rpm is installed, a message on the About tab tells you that you need to update the system image to 13.1.0. Get the BIG-IP 13.1.0 system image from the downloads site and install it on the system (see Installation overview for details).

You see the message Configuration Update Required. Older Configuration Detected. You must migrate your configuration to continue. Click Start.

The system updates the configurations, and you see a migration status of Success for everything except Silverline, if you are using it. Click Done to display the Quick Configuration screens.

If using Silverline, click the Silverline tab and type the username and password for your account.

That completes the upgrade process.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)

Configure a management port.

Set the console and system baud rate to 19200, if it is not already.

Log on as an administrator using the management port of the system you want to upgrade.

Boot into an installation location other than the target for the installation.

Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.

Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.

Turn off mirroring.

If you are running Application Acceleration Manager, set provisioning to Minimum.

If you are running Policy Enforcement Manager, set provisioning to Nominal.

If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Sample installation command

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.

Installation tips

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.

You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.

If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
